SCA / Dependency Tracker

Know exactly which packages put you at risk

Pragma Core scans every dependency in every repository against a comprehensive vulnerability database. You get real-time alerts on vulnerable packages, clear upgrade paths, and a single view across your entire software supply chain.


From lockfile to actionable risk report

The platform parses your dependency manifests, checks every package against known vulnerability data, and surfaces issues with everything you need to act.

1. Parse dependency files
Lockfiles and manifests are detected automatically across npm, Composer, pip, Maven, Go, NuGet, RubyGems, Cargo, and more.
2. Check vulnerability data
Each package and version is checked against known CVEs and security advisories to identify vulnerable dependencies.
3. Surface actionable findings
Vulnerable packages appear with severity, CVSS scores, affected version ranges, and the specific version that fixes the issue.
4. Monitor continuously
New advisories are checked on every sync. A package that was safe yesterday gets flagged the moment a new CVE is published.
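The four steps above, reduced to a runnable sketch (an added example, not Pragma Core's own code): it parses a constructed npm package-lock.json, applies constructed advisories with placeholder IDs using the OSV-style half-open range "introduced <= version < fixed", and reports severity, CVSS and the fix version, so that the 2.3.1-versus-2.3.4 question is answered by the range check rather than by guesswork.

```python
# Added example, not Pragma Core's code: a minimal lockfile-to-advisory check
# for npm package-lock.json (lockfileVersion 2/3). Advisory data is constructed;
# a real scanner would pull it from an advisory feed such as OSV or NVD.
import json
# Constructed lockfile fragment; "" is the root project, the rest are deps.
LOCKFILE = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/left-lib": {"version": "2.3.1"},
    "node_modules/other-lib": {"version": "4.0.2"},
    "node_modules/patched-lib": {"version": "1.9.0"},
}})

# Constructed advisories with placeholder IDs (not real CVEs). Ranges follow the
# OSV convention: affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "CVE-XXXX-0001", "package": "left-lib", "severity": "high",
     "cvss": 7.5, "introduced": "2.0.0", "fixed": "2.3.4"},
    {"id": "CVE-XXXX-0002", "package": "patched-lib", "severity": "critical",
     "cvss": 9.8, "introduced": "0", "fixed": "1.8.0"},
]

def parse_version(v):
    """Turn '2.3.4' into (2, 3, 4); a pre-release suffix such as '-beta' is dropped."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def parse_lockfile(text):
    """Return {package_name: version} from a v2/v3 package-lock.json."""
    data = json.loads(text)
    return {path.rsplit("node_modules/", 1)[-1]: meta["version"]
            for path, meta in data["packages"].items() if path}

def is_affected(version, introduced, fixed):
    """Half-open range check, so 2.3.1 is affected and 2.3.4 is not."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def scan(lock_text, advisories):
    """Return (package, installed, id, severity, cvss, fix) tuples, highest CVSS first."""
    installed = parse_lockfile(lock_text)
    findings = []
    for adv in advisories:
        ver = installed.get(adv["package"])
        if ver and is_affected(ver, adv["introduced"], adv["fixed"]):
            findings.append((adv["package"], ver, adv["id"],
                             adv["severity"], adv["cvss"], adv["fixed"]))
    return sorted(findings, key=lambda f: -f[4])

if __name__ == "__main__":
    for pkg, ver, adv_id, sev, cvss, fix in scan(LOCKFILE, ADVISORIES):
        print(f"{pkg}@{ver}: {adv_id} [{sev}, CVSS {cvss}] -> upgrade to {fix}")
```

Continuous monitoring is the same `scan` run again whenever either the lockfile or the advisory list changes, which is why a package that was clean yesterday can show up as a finding today.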

Complete supply chain visibility

Multi-ecosystem support
npm, Composer, pip, Maven, Go modules, NuGet, RubyGems, Cargo, pub, and CocoaPods. One scanner covers your full stack regardless of which languages your teams use.
CVSS scoring and severity
Every advisory includes severity classification and CVSS scores pulled directly from the vulnerability database, so your team can prioritize the most critical upgrades first.
Fix version guidance
For each vulnerable package, the platform shows which version resolves the issue. No guesswork about whether upgrading from 2.3.1 to 2.3.4 actually patches the CVE.
Cross-repository view
See which repositories share the same vulnerable package. When a single library affects five repos, you want to know that before you start patching.
Vulnerability lifecycle
Mark advisories as open, acknowledged, fixed, or false positive. Track triage decisions over time and maintain an audit trail for compliance reviews.
Continuous monitoring
Dependencies are re-checked every time the repository syncs. New CVEs published against packages you already use are flagged automatically, with no manual re-scans required.

Every package manager your team relies on

npm / yarn / pnpm
Composer (PHP)
pip / Poetry (Python)
Maven / Gradle (Java)
Go modules
NuGet (.NET)
RubyGems
Cargo (Rust)
pub (Dart/Flutter)
CocoaPods (iOS)

Most breaches start with a known vulnerability in a dependency

Reduce your attack surface automatically
You cannot patch what you do not know about. SCA gives you a clear inventory of every third-party package, version, and known weakness across all your projects.
Stay ahead of new disclosures
The vulnerability database is checked on every sync. When a new CVE is published against a package in your lockfile, it shows up in your dashboard the same day.
Simplify audit preparation
Auditors ask for evidence that you track and remediate known vulnerabilities. The dependency tracker gives you a time-stamped record of findings, triage decisions, and resolutions.
Consistent process across every team
Whether your backend runs on Go and your frontend on TypeScript, the same workflow applies. One dashboard, one triage process, one set of policies for every ecosystem.

Start tracking your dependencies today

Connect your repositories and get instant visibility into every vulnerable package across your stack.